Microsoft Turns On Office 365 Multifactor Authentication

Users of Microsoft's cloud-based Office 365 offering get a double dose of password security, with client apps to follow soon.

Because Office 365 accounts are likely to contain sensitive corporate information, Microsoft is looking to avoid the high-profile security breaches that have plagued other cloud services. To that end, the software giant announced that it has extended multifactor authentication to the Office 365 user base at large.

The security measure is no longer the exclusive domain of administrators, said Paul Andrew, an Office 365 technical product manager. "Multifactor authentication has been available for Office 365 administrative roles since June 2013, and today we're extending this capability to any Office 365 user," he wrote in a Feb. 10 blog post.

"Today, we're adding Multi-Factor Authentication for Office 365 to Office 365 Midsize Business, Enterprise plans, Academic plans, Nonprofit plans, and standalone Office 365 plans, including Exchange Online and SharePoint Online," said Andrew. The expansion "will allow organizations with these subscriptions to enable multifactor authentication for their Office 365 users without requiring any additional purchase or subscription."

The move is part of a broader effort by the company to harden its cloud services slate. In June 2013, Microsoft announced that it was bringing multifactor authentication, based on technology from its PhoneFactor acquisition, to Windows Azure Active Directory (AD) services, enabling users to securely access their accounts with additional credentials supplied by an app or Short Message Service text.

Microsoft officially launched the new feature in September. Scott Guthrie, now Microsoft's cloud chief, said in a statement at the time that organizations could finally leverage multifactor authentication to provide an extra layer of security for "Windows Azure, Office 365, Intune, Dynamics CRM and any third-party cloud service that supports Windows Azure Active Directory," plus custom applications.

In recent years, online service providers have been rocked by breaches that have caused security-conscious enterprises to regard the cloud suspiciously.

Dropbox, a popular cloud storage company, rolled out two-step authentication in 2012 after a breach that made user data susceptible to snoops. Twitter followed suit in 2013 after major accounts had been hacked. Security researchers said the recent Yahoo Mail breach would have been a non-event for users had they switched on the service's multifactor authentication options.

Microsoft is also looking to extend multifactor authentication to Office 365 client apps. Noting that users currently have a workaround by configuring App Passwords to secure their desktop apps, Andrew revealed that soon, "Office 365 customers will be able to use multifactor authentication directly from Office 2013 client applications."

"We're planning to add native multifactor authentication for applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell and OneDrive for Business, with a release date planned for later in 2014," he added. The update will supplement phone-based authentication with support for third-party solutions and smart cards that conform to the U.S. Department of Defense Common Access Card (CAC) and U.S. Federal Personal Identity Verification card (PIV) security standards.